MonitorWare Knowledge Base

I'm sorry if this has been discussed and I couldn't find it in search. I am running into the following error message when I try to write logs to a different directory than /var/log...

Jul 30 06:25:07 centos5-test rsyslogd: [origin software="rsyslogd" swVersion="2.0.0" x-pid="336"][x-configInfo udpReception="No" udpPort="514" tcpReception="No" tcpPort="0"] restart
Jul 30 06:25:07 centos5-test rsyslogd:/opt/firewall/log/fwlog: Permission denied
Jul 30 06:25:07 centos5-test rsyslogd:last message repeated 2 times
Jul 30 06:25:07 centos5-test kernel: rklogd 2.0.0, log source = /proc/kmsg start

The corresponding section in my rsyslog.conf is as follows:

# Log anything (except mail) of level info or higher.
# Don't log private authentication messages!
*.info;mail.none;authpriv.none;cron.none /var/log/messages
:msg, contains, "[FIREWALL]" |/opt/firewall/log/fwlog
:msg, contains, "ll header" |/opt/firewall/log/fwlog
:msg, contains, "martian source" |/opt/firewall/log/fwlog

I have tried it with and without the pipes and get the same error messages. Rsyslog is running as root, and root has full rwx to the path /opt/firewall/log. I haven't found much on the Internet in general or in the rsyslog docs themselves about writing to log files in non /var/log directories. Any assistance that you could give me would be greatly appreciated...

Thank you.


PS: I'd rather be running a newer version of rsyslog, however, I am trying to stick with pre-compiled binaries for a specific reason, and there are none for RHEL 5/CentOS 5.

• Custom written rsyslog.conf?
• Maintenance Contract?
• Installation support?

This smells like SELinux. Do you see any warnings or violations? Unfortunately, I am a novice at SELinux and can not provide much more information. For a test, you may want to simply put it into permissive mode (and re-enable thereafter). Then we know if it is the cause or not.

rgerhards wrote:This smells like SELinux. Do you see any warnings or violations? Unfortunately, I am a novice at SELinux and can not provide much more information. For a test, you may want to simply put it into permissive mode (and re-enable thereafter). Then we know if it is the cause or not.

Good call. SElinux is the issue with that. Now it won't create a new file named fwlog... I get the following error:

Jul 30 06:39:57 centos5-test rsyslogd: [origin software="rsyslogd" swVersion="2.0.0" x-pid="2023"][x-configInfo udpReception="No" udpPort="514" tcpReception="No" tcpPort="0"] restart
Jul 30 06:39:57 centos5-test rsyslogd:/opt/firewall/log/fwlog: No such file or directory
Jul 30 06:39:58 centos5-test rsyslogd:last message repeated 2 times
Jul 30 06:39:57 centos5-test kernel: rklogd 2.0.0, log source = /proc/kmsg started.

This sounds like /opt/firewall or /opt/firewall/log does not exist. I haven't checked the code, but I think (think!) that directories are only created when dynafiles are used. Files are always created. But I may be wrong here...

rgerhards wrote:This sounds like /opt/firewall or /opt/firewall/log does not exist. I haven't checked the code, but I think (think!) that directories are only created when dynafiles are used. Files are always created. But I may be wrong here...

/opt/firewall/log exists. It was the pipes. Apparently you cannot use pipes if the file doesn't exist. I changed it from |/opt/firewall/log/fwlog to /opt/firewall/log/fwlog and it worked.

Thank you for your assistance. Now if only I could get the RHEL and/or CentOS maintainers to package up a newer version of the rsyslog binaries.....

ftanner wrote:

rgerhards wrote:/opt/firewall/log exists. It was the pipes. Apparently you cannot use pipes if the file doesn't exist. I changed it from |/opt/firewall/log/fwlog to /opt/firewall/log/fwlog and it worked.

Oh, yes - the pipes. I overlooked that Glad it works now.

rgerhards wrote:

ftanner wrote:

rgerhards wrote:/opt/firewall/log exists. It was the pipes. Apparently you cannot use pipes if the file doesn't exist. I changed it from |/opt/firewall/log/fwlog to /opt/firewall/log/fwlog and it worked.

Oh, yes - the pipes. I overlooked that Glad it works now.

I appreciate the rapid response. I'm a newbie to rsyslog, having switched over from syslog-ng. There's a bit of a learning curve....hehehe